This kind of attack is possible, but this is the wrong way to prevent against it. If a hacker can change the details of the form, they can just as easily send the secret data via an AJAX GET without submitting the form at all. The correct way to prevent an XSS attack is to be sure to encode all untrusted content on the page such that a hacker doesn’t have the ability to execute their own JavaScript in the first place.

More on encoding…

Sample code on StackOverflow is a great example of encoding. Imagine what a mess it would be if every time someone posted some example JavaScript, it actually got executed in the browser. E.g.,

<script type="text/javascript">alert('foo');</script>

Were it not for the fact that SO encoded the above snippet, you would have just seen an alert box. This is of course a rather innocuous script – I could have coded some JavaScript that hijacked your session cookie and sent it to evil.com/hacked-sessions. Fortunately, however, SO doesn’t assume that everyone is well intentioned, and actually encodes the content. If you were to view source, for example, you would see that SO has encoded my perfectly valid HTML and JavaScript into this:

<script type="text/javascript">alert('foo');</script>

So, rather than embedding actual < and > characters where I used them, they have been replaced with their HTML-encoded equivalents (< and >), which means that my code no longer represents a script tag.

Anyway, that’s the general idea behind encoding. For more info on how you should be encoding, that depends on what you’re using server-side, but most all web frameworks include some sort of “out-of-the-box” HTML Encoding utility. Your responsibility is to ensure that user-provided (or otherwise untrusted) content is ALWAYS encoded before being rendered.